VYPR

Open Apis

by Haxtheweb

Source repositories

CVEs (9)

  • CVE-2026-46399CriJun 5, 2026
    risk 0.61cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code…

  • CVE-2026-46496CriJun 5, 2026
    risk 0.60cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `` component. The component allows `javascript:` URIs in the `source`…

  • CVE-2026-46396CriJun 5, 2026
    risk 0.60cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `` elements. The application allows `javascript:` URIs in the `src` attribute, which…

  • CVE-2026-46395CriJun 5, 2026
    risk 0.60cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the…

  • CVE-2026-46511HigJun 5, 2026
    risk 0.57cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete…

  • CVE-2026-46391HigJun 5, 2026
    risk 0.57cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker…

  • CVE-2026-46393HigJun 5, 2026
    risk 0.46cvss epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a…

  • CVE-2026-46357MedJun 5, 2026
    risk 0.42cvss 6.5epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take…

  • CVE-2025-48996MedJun 2, 2025
    risk 0.27cvss 5.3epss 0.00

    HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API…